second-brain

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill directs the agent to interact with a shell script (ensue-api.sh) by passing complex JSON arguments as a single-quoted string. This pattern is highly susceptible to command injection if the agent interpolates user-provided content containing single quotes or shell metacharacters without rigorous escaping.
  • PROMPT_INJECTION (MEDIUM): This skill creates a significant indirect prompt injection surface (Category 8). Ingestion points: Data enters the system via create_memory and is retrieved via discover_memories. Boundary markers: The skill includes 'Interaction Rules' such as drafting entries and requiring confirmation, which mitigate accidental obedience but do not prevent adversarial data from influencing future agent logic. Capability inventory: The skill uses shell execution (bash), file path access ({baseDir}), and external network communication (Ensue API). Sanitization: There is no evidence of sanitization or content validation before storing or retrieving memories.
  • DATA_EXFILTRATION (MEDIUM): The skill explicitly handles and transmits user-provided knowledge to an external third-party service (https://ensue-network.ai). While this is the stated purpose, the lack of input validation could allow an attacker to trick the agent into sending sensitive local configuration or system details to this external endpoint.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:17 AM